[How-To] How to Access Your FreeNAS Server Remotely (and Securely)

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
I would be happy to write it up, it is just one more approach to access network resources.

As far as running it on your FreeNAS box, I am sure there are ways to get OpenVPN (for example) running in a jail, but in this case the Untangle software that I use sits on a dedicated box/appliance. Within its guts is the OpenVPN server so I don't need to worry about installing it on something else.

I have not even considered if their software would run in a jail...I doubt it since it is designed to be stand alone, but I have heard of people running it as a VM, so maybe it would be possible.
I have OpenVPN running in a jail, although in this case I think it is configured as a client to work with a commercial VPN service. I don't follow what the 'untangle' is for. I'll wait for the write-up!
 

CP Waite

Dabbler
Joined
Nov 4, 2016
Messages
19
I just wanted to chime in and thank the OP for this thread. Awesome information and written in a way that's easy to understand for fair-to-middling tech people like myself. Cheers!
 

Ken T

Cadet
Joined
Sep 15, 2016
Messages
3
Excellent post! This really helped a lot!

I'm using a Mac and I'm using AFP in order to set up my Time Machine backups. The only issue I faced is that when I'm at home and connected to the local network, the AFP drive is connected based on IP: 196.168.X.X.

However, when using the remote access as below:
ssh -L 15548:192.168.X.X:548 -p 13579 username@XXX.hopto.org

The AFP drive is connected to the hostname 'localhost'.

This creates an issue as Time Machine thinks that they're not the same, and wouldn't back up.

Do you have any idea how I can configure remote access to AFP and yet still keep the existing IP address (192.168.X.X) when connecting to the AFP?


Thanks and your help is much appreciated!
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
I don't quite understand. What is an AFP drive? In the ssh command, shouldn't the IP address be replaced by 'localhost'?

I guess I haven't looked to see if Time Machine will run remotely this way. I wonder if it would be reliable. Seems like even over wifi, Time Machine to a sparsebundle sometimes has hiccups, and I imagine it would be worse through the internet.
 

Ken T

Cadet
Joined
Sep 15, 2016
Messages
3
Basically I'm connecting to my Time Machine using the AFP protocol.

As for the ssh command, from my experimentation, localhost or IP address does not matter. I tried to use IP address to see if my Mac would be able to detect the Time-Machine based on IP.

If you see the screenshots below, it shows how the Mac sees the same Time-Machine differently when connected via local network (192.168.X.X) vs remotely (localhost).

I'm hoping to be able to remotely back up to Time Machine. Yes, your concerns are valid on sparsebundle hiccups, but I guess it's worth trying to be able to back up over the internet. That would be convenient especially when I'm away from home for long periods of time.


When connecting on local network:
View attachment upload_2016-11-10_21-15-48.png

When connecting remotely:
View attachment upload_2016-11-10_21-15-19.png
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
I'm hoping to be able to remotely back up to Time Machine.
It would be nice to figure out how to do this, but I'm afraid it's beyond me. When you execute that ssh command, I THINK it takes everything sent to local port 15548 and sends it to your remote FreeNAS. Time Machine on your laptop is not trying to communicate with local port 15548. I imagine there is a way to get it to do that. I'll experiment some time when I have my laptop on another network.

But let me ask you this. When you connect to the server using "afp://localhost:15548", are you given an option to choose a share? Are you choosing a share that includes your Time Machine backups?

If so, please try this command instead before opening the server share:
Code:
ssh -fgN -L 15548:localhost:548 -C -p 13579 <you>@<yoursubdomain>.hopto.org sleep 120
 

Ken T

Cadet
Joined
Sep 15, 2016
Messages
3
Glorious1, somehow I wasn't able to see your latest post on this thread.

Just to add, when accessing remotely, I'm able to see the same Time Machine as available. However, it is shown as available on localhost instead of '192.168.0.110', so the Mac is not able to see them as the same.

View attachment upload_2016-11-14_13-40-49.png


I tried again running the following commands you provided, but the results were still the same:
ssh -fgN -L 15548:localhost:548 -C -p 13579 username@XXX.hopto.org sleep 120
 

Btrd2

Cadet
Joined
Aug 23, 2016
Messages
5
Using the method described in the OP, would logging in via HTTP (example: the FreeNAS GUI) be fairly secure because the info would be sent in plain text, but through the established tunnel, correct?

I'm thinking a) a hacker would essentially have to have access to my LAN in order to listen to local port 80, as it is of course the public side is closed or b) have established a tunnel themselves

Any insight welcomed.
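
Added example, not part of any post in this thread: who can reach a forwarded port depends on which address the ssh client binds the listener to. The script reports that for an ssh command line, using two constructed commands modelled on the ones posted above (the function name and user@nas.example are assumptions); without -g the listener is loopback-only, with -g other hosts on the client's network can connect to it.

```shell
#!/bin/sh
# ssh_forward_exposure ARGS...: for each -L/-D in an ssh command line, print
# which client-side address the listener binds to. Assumes well-formed specs
# with hostnames or IPv4 addresses (no bracketed IPv6, no Unix sockets).
ssh_forward_exposure() {
    OPTIND=1; gateway=no; specs=
    # Option letters from the ssh(1) synopsis; a trailing ':' takes an argument.
    while getopts ':46AaCfGgKkMNnqsTtVvXxYyB:b:c:D:E:e:F:I:i:J:L:l:m:O:o:p:Q:R:S:W:w:' opt; do
        case $opt in
            g) gateway=yes ;;    # -g has the effect of GatewayPorts yes
            o) if [ "$OPTARG" = "GatewayPorts=yes" ]; then gateway=yes; fi ;;
            L|D) specs="$specs $opt=$OPTARG" ;;
        esac
    done
    for item in $specs; do
        kind=${item%%=*}; spec=${item#*=}
        colons=$(( $(printf '%s' "$spec" | tr -cd ':' | wc -c) ))
        # -L is [bind:]port:host:hostport, -D is [bind:]port
        if [ "$kind" = L ]; then need=3; else need=1; fi
        if [ "$colons" -eq "$need" ]; then
            # An explicit bind address takes precedence over -g.
            bind=${spec%%:*}; rest=${spec#*:}
            case $bind in
                ''|'*') where=all-interfaces ;;
                localhost|127.0.0.1) where=loopback ;;
                *) where=$bind ;;
            esac
        elif [ "$gateway" = yes ]; then
            rest=$spec; where=all-interfaces
        else
            rest=$spec; where=loopback
        fi
        if [ "$kind" = L ]; then
            echo "L ${rest%%:*} -> ${rest#*:} listens on $where"
        else
            echo "D $rest -> dynamic-SOCKS listens on $where"
        fi
    done
}

# Constructed command lines modelled on the two posted in this thread.
ssh_forward_exposure -L 15548:192.168.0.110:548 -p 13579 user@nas.example
ssh_forward_exposure -fgN -L 15548:localhost:548 -C -p 13579 user@nas.example sleep 120
```

Writing the forward as -L 127.0.0.1:15548:localhost:548 keeps the listener on loopback even when -g is present.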
 

urdel62

Explorer
Joined
Nov 27, 2016
Messages
53
Hi,
Thanks for this tuto which seems very helpful.
However my client is running on Windows so I'm a bit confused about how to do the first part on a Windows computer.
Any help would be great.
Thanks,
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
By 'the first part', are you referring to generating keys? Download PuTTY if you don't have it already. It comes with a program called PuTTYgen.
 

urdel62

Explorer
Joined
Nov 27, 2016
Messages
53
Ok thank you for the tip. :)
And I misread too; I thought I had to copy the key to the authorized_keys file on the client and not the server. I'll let you know if all's working fine.
 

Yusuf Limalia

Patron
Joined
Apr 5, 2016
Messages
234
By 'the first part', are you referring to generating keys? Download PuTTY if you don't have it already. It comes with a program called PuTTYgen.

Yup this would be the way to do it.

There are a few applications out there to get this done. PuTTYgen is the lightest. Bitvise is another alternative.

Link to PuTTY: http://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html?
Link to bitvise: https://www.bitvise.com/ssh-client-download

After you download PuTTYgen:
1) Hit Generate

2) Move your mouse cursor over the blank container as instructed


3) It will generate a key for you

4) You need to append to your authorized_keys file as OP instructs, and save your private key. Make sure you include a Key Passphrase before you Save your private key.
It will prompt you if you don't put a Passphrase.


5) Once you have pasted your public key into your auth keys file, you need to tell PuTTY which private key you auth against:
Under PuTTY > Connection > SSH > Auth.
Just browse for your private key, go back to the Session Category and SAVE your session.


When you click Open on your Session, PuTTY will try to match the public key to your saved private key, then prompt you for the passphrase you set in step 4.
There are many more comprehensive tuts on the web, but this is the quick and dirty version.

Don't forget to disable your password auth in FreeNAS.

P.S. I had some difficulty getting the private key to work sometimes on FreeNAS, this being due to some carriage returns being put in after pasting. I then had to manually remove them being careful not to remove any characters. Might work for you if your copy paste abilities are as crude as mine.
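
Added example, not part of the post above or of the original guide: a check for the paste damage described in the P.S., run against an authorized_keys file. It flags carriage returns and keys that were wrapped onto a second line; the function name, the sample key (an all-zero constructed one) and the restriction to ssh-rsa and ssh-ed25519 are assumptions of this sketch.

```shell
#!/bin/sh
# check_authorized_keys FILE: print one finding per damaged line and return 1
# if any were found. Only ssh-rsa and ssh-ed25519 are recognised here.
check_authorized_keys() {
    awk '
    BEGIN {
        # Every key blob starts with its own type name, length-prefixed and
        # base64-encoded, so the first characters are fixed per key type.
        prefix["ssh-rsa"]     = "AAAAB3NzaC1yc2E"
        prefix["ssh-ed25519"] = "AAAAC3NzaC1lZDI1NTE5"
    }
    /\r/ { printf "line %d: carriage return\n", NR; bad = 1; gsub(/\r/, "") }
    /^[ \t]*(#|$)/ { next }     # comments and blank lines are allowed
    {
        t = 0                   # options may precede the key type field
        for (i = 1; i <= NF; i++) if ($i in prefix) { t = i; break }
        if (!t) {
            printf "line %d: no key type, possibly the tail of a wrapped key\n", NR
            bad = 1; next
        }
        blob = $(t + 1)
        if (index(blob, prefix[$t]) != 1) {
            printf "line %d: blob does not match type %s\n", NR, $t; bad = 1
        } else if (length(blob) % 4 != 0 || blob !~ /^[A-Za-z0-9+\/]+=*$/) {
            printf "line %d: base64 blob truncated or corrupted\n", NR; bad = 1
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: an all-zero ed25519 key saved with a Windows line ending.
blob="AAAAC3NzaC1lZDI1NTE5AAAAI$(printf '%043d' 0 | tr 0 A)"
sample=$(mktemp)
printf 'ssh-ed25519 %s user@laptop\r\n' "$blob" > "$sample"
check_authorized_keys "$sample" || echo "fix the file before relying on key login"
rm -f "$sample"
```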
 

Ascotg

Dabbler
Joined
Sep 26, 2016
Messages
19
I've set this up for Windows as well, but tunneling CIFS/SMB through SSH on Windows is a lot more difficult than it is for Mac/Linux. This guide will help you with that:

http://www.nikhef.nl/~janjust/CifsOverSSH/Win8Loopback.html
 

urdel62

Explorer
Joined
Nov 27, 2016
Messages
53
Thank you
But is all that really necessary for accessing my server remotely via SSH tunnelling? Just following Glorious1's tuto won't work? That's what I did but it seems that my proxy connection is not working. I think I did everything as described for SSH tunnelling. And remote secure SSH with key is working well. Does someone have an idea?
Thanks,
 

Ascotg

Dabbler
Joined
Sep 26, 2016
Messages
19
Hi, yes, all those steps I linked are required to make it work. It seems like a lot, but it's actually not that bad. Works just fine with me now.
The problem is that Windows has absolutely nothing built in for SSH or tunnelling (unlike Linux or Mac). Let me know if you have any problems with setting up the CIFS tunnel, I struggled too at first.

One problem you might run into: when creating the start-up task, note that the argument for almost every version of Windows is different (They're nice that way... o_O)

Also to make life easier I've created a bash file to start up my connection whenever I need it. Make sure your PuTTY file is working and then save this file below in Notepad, but with the extension: ".bat". Create a link to your desktop and put a shiny icon over it. When you double click it, it will ask for your passphrase and start the connection including the tunnel.

Code:
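@echo off
rem Load the key into Pageant; it prompts for the passphrase.
rem The empty "" is the window title that start expects before a quoted program path.
start "" "C:\Program Files (x86)\PuTTY\pageant.exe" "C:\YOURPATHHERE\Key.ppk"
rem Wait for a key press so the passphrase can be entered before PuTTY starts.
pause
rem Open the saved PuTTY session (and its tunnel) minimized.
start /min "" "C:\Program Files (x86)\PuTTY\putty.exe" -load "NAMEOFYOURSAVEFILE"
rem Reconnect network drive Y: in Explorer.
net use Y: /persistent:yes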


  • Note the pause in my file. It's there in case you misspelled your passphrase. So you need to press Enter twice after your passphrase. Or any key in fact.
  • The "net use Y: /persistent:yes" is there to connect my network drive in the explorer.
  • I use pageant since it's easier to keep track of my SSH keys. It's even convenient for one as this batch program will work with it. You can easily find it online, it's a tiny piece of software. (http://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) Third one from the bottom in the "Alternative binary files" :)
 

urdel62

Explorer
Joined
Nov 27, 2016
Messages
53
@Glorious1

Thank you very much for your tuto. It helped me very much. Though I have some difficulties with SSH tunneling.
My client is running on Windows 10. I can access the server via SSH and key authentication without any trouble. I think my DuckDNS is set up correctly but I don't know how to be sure of that. Just the command returns OK.
Port forwarding should be OK too because I can access my server with PuTTY using an elevated port number.
And concerning SSH tunnelling, the PuTTY part is working quite well; I can access the server. But when I set up the proxy on Chrome or IE, it's not working. I can't reach the internet or the FreeNAS web GUI with a local URL.
Do you have any ideas or do you need some more info?
Thanks a lot,
 

Ascotg

Dabbler
Joined
Sep 26, 2016
Messages
19
  • You can check your DuckDns by pinging and checking the IP code on that.
  • Concerning the SSH tunnel for your browser. Check the tunnel settings, make sure it's set to dynamic. I've never used Chrome or IE for this, but Firefox works great for me. Also when there's a box that says: "No proxy for ..." make sure to delete localhost from that list or it will just skip your proxy for that.
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
My client is running on Windows 10. I can access the server via SSH and key authentication without any trouble. I think my DuckDNS is set up correctly but I don't know how to be sure of that. Just the command returns OK. Port forwarding should be OK too because I can access my server with PuTTY using an elevated port number.
If you are able to SSH in remotely (not on your local network, but via the internet), and you are doing it through duckdns, then there is no problem with your setup of duckdns and port forwarding etc.
And concerning SSH tunnelling, the PuTTY part is working quite well; I can access the server. But when I set up the proxy on Chrome or IE, it's not working. I can't reach the internet or the FreeNAS web GUI with a local URL.
Do you have any ideas or do you need some more info?
Thanks a lot,
You haven't given enough information on this part to help you. All I can tell you is, with the directions in the original post, I am able to use Firefox on my Windows computer at work to browse my local network. I suggest you post an image of your PuTTY tunnels dialog and your settings in Firefox.

I'm not sure about what @Ascotg just said, deleting localhost from "No proxy for . . ." in Firefox. I did not delete it (according to the screenshot in the original post, but I'm not at work so can't double-check it), and it works for me.
 

urdel62

Explorer
Joined
Nov 27, 2016
Messages
53
@Glorious1 , @Ascotg
Thanks, but it is still not working with Firefox (even when I remove localhost from "No proxy").
Actually there might be an error with DuckDNS because it is not responding when I ping it. I attach screenshots of my PuTTY and Firefox settings to see if there are any mistakes. Thanks,
PS: it's in French but I think you wouldn't have any difficulties translating :)
 

Attachments

  • putty1.PNG
  • ping.PNG
  • putty2.PNG
  • firefox.PNG